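def audit(self):
    """Probe parent directories for directory-listing pages.

    Candidate directories are the parent paths of the request URL and of
    every link extracted from the response body.  Each candidate is
    requested at most once (deduplicated through ``Share``); a reply whose
    lower-cased body contains one of the listing markers is reported via
    ``out.success``.  Probe failures are skipped (best effort).
    """
    headers = self.requests.get_headers()  # request headers, dict
    url = self.build_url()  # full request URL
    resp_str = self.response.get_body_str()  # response body, decoded str

    # Unused locals of the old version (POST body .decode(), raw response
    # bytes, response headers) were dropped: the decode could raise a
    # UnicodeDecodeError on a binary body and abort the audit for nothing.
    candidates = set(get_parent_paths(url))
    for link in get_links(resp_str, url, True):
        candidates.update(get_parent_paths(link))

    markers = (
        "directory listing for",
        "<title>directory",
        "<head><title>index of",
        '<table summary="directory listing"',
        'last modified</a>',
    )

    for path in candidates:
        if Share.in_url(path):
            continue  # already probed elsewhere
        Share.add_url(path)
        try:
            reply = requests.get(path, headers=headers)
            body = reply.text.lower()  # lower-case once, not per marker
            if any(marker in body for marker in markers):
                out.success(path, self.name)
        except Exception:
            pass  # best-effort probe: unreachable paths are ignored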
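def audit(self):
    """Check parent directories for exposed VCS metadata files.

    For every parent path of the request URL (and of links found in the
    response body) each suffix in ``flag`` is fetched once; a reply whose
    body contains the associated marker text is reported via
    ``out.success``.  Probe failures are skipped (best effort).
    """
    headers = self.requests.get_headers()  # request headers, dict
    url = self.build_url()  # full request URL
    resp_str = self.response.get_body_str()  # response body, decoded str

    # Unused locals of the old version (POST body .decode(), raw response
    # bytes, response headers) were dropped; the decode could raise on a
    # binary body and abort the audit.
    candidates = set(get_parent_paths(url))
    for link in get_links(resp_str, url, True):
        candidates.update(get_parent_paths(link))

    # path suffix -> text expected in the body when the file is exposed
    flag = {
        "/.svn/all-wcprops": "svn:wc:ra_dav:version-url",
        "/.git/config": 'repositoryformatversion'
    }

    for path in candidates:
        base = path.rstrip('/')
        for suffix, marker in flag.items():
            target = base + suffix
            if Share.in_url(target):
                continue  # already probed elsewhere
            Share.add_url(target)
            try:
                reply = requests.get(target, headers=headers)
                if marker in reply.text:
                    out.success(target, self.name)
            except Exception:
                pass  # best-effort probe: network errors are ignored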
def printProgress():
    """Redraw the one-line progress summary on the current console row.

    The summary is right-aligned to the width stored in
    ``KB['console_width']`` by writing a carriage return followed by
    padding spaces, so successive calls overwrite the same row.
    """
    elapsed = time.time() - KB['start_time']
    summary = (
        f"{out.count()!s} success | {KB['task_queue'].qsize()!s} remaining | "
        f"{KB['finished']!s} scanned in {elapsed:.2f} seconds"
    )
    padding = ' ' * (KB['console_width'][0] - len(summary))
    Share.dataToStdout('\r' + padding + summary)
def audit(self): method = self.requests.command # 请求方式 GET or POST headers = self.requests.get_headers() # 请求头 dict类型 url = self.build_url() # 请求完整URL data = self.requests.get_body_data().decode() # POST 数据 resp_data = self.response.get_body_data() # 返回数据 byte类型 resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码 resp_headers = self.response.get_headers() # 返回头 dict类型 if method == 'GET': # 从源码中获取更多链接 links = [url] for link in set(links): # 只接收指定类型的SQL注入 p = urlparse(link) if p.query == '': continue exi = os.path.splitext(p.path)[1] if exi not in acceptedExt: continue params = dict() for i in p.query.split("&"): try: key, value = i.split("=") params[key] = value except ValueError: pass netloc = "{}://{}{}".format(p.scheme, p.netloc, p.path) for k, v in params.items(): if k.lower() in ignoreParams: continue if not re.search('^-?\d+(\.\d+)?$', v): continue data = copy.deepcopy(params) # 判断条件: # 1. -randint !== origin # 2. +randint-randint == origin payload1 = "{0}+{1}".format(v, random.randint(10, 100)) data[k] = payload1 url1 = prepare_url(netloc, params=data) if Share.in_url(url1): continue Share.add_url(url1) r = requests.get(url1, headers=headers) html1 = r.text if fuzzy_equal(resp_str, html1, 0.97): continue payload2 = "{0}+{1}-{1}".format(v, random.randint(10, 100)) data[k] = payload2 r2 = requests.get(netloc, params=data, headers=headers) html2 = r2.text if fuzzy_equal(resp_str, html2, 0.8): msg = " {k}:{v} !== {k}:{v1} and {k}:{v} === {k}:{v2}".format( k=k, v=v, v1=payload1, v2=payload2) # out.log(msg) out.success(link, self.name, payload=k, condition=msg) break
def log(self, msg):
    """Write *msg* wrapped to the console width, then redraw the progress row.

    Chunks of exactly ``width`` characters are written one per row; the
    remainder (which may be the whole message, or empty) is written last.
    """
    width = KB["console_width"][0]
    remaining = msg
    while len(remaining) > width:
        head, remaining = remaining[:width], remaining[width:]
        Share.dataToStdout('\r' + head + '\n\r')
    Share.dataToStdout('\r' + remaining + '\n\r')
    printProgress()
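def run_threads(num_threads, thread_function, args: tuple = ()):
    """Run *thread_function* in *num_threads* daemon threads and wait for them.

    Initialises the shared ``KB`` state (``continue`` flag, console width,
    start time, counters, lock) before starting the workers.  Each worker
    executes ``exception_handled_function(thread_function, args)``.

    Ctrl+C clears ``KB['continue']`` so workers can stop, then waits for
    the remaining threads; a second Ctrl+C during that wait is re-raised.
    Any other exception is logged with a traceback and swallowed.  A
    newline is always written to stdout on exit so the progress row is
    terminated.

    Args:
        num_threads: number of worker threads to start.
        thread_function: callable executed by every worker.
        args: positional arguments forwarded to ``thread_function``.
    """
    threads = []
    KB["continue"] = True
    KB["console_width"] = getTerminalSize()
    KB['start_time'] = time.time()
    KB['finished'] = 0
    KB["lock"] = threading.Lock()
    KB["result"] = 0
    KB["running"] = 0
    try:
        logger.info("Starting {0} threads".format(num_threads))
        # Start the threads.  The loop index must not reuse ``num_threads``:
        # the KeyboardInterrupt branch below still needs the original count.
        for idx in range(num_threads):
            thread = threading.Thread(
                target=exception_handled_function,
                name=str(idx),
                args=(thread_function, args),
                daemon=True,  # workers must not keep the process alive
            )
            try:
                thread.start()
            except Exception as ex:
                logger.critical(
                    "error occurred while starting new thread ('{0}')".format(str(ex)))
                break
            threads.append(thread)

        # Wait for all workers.  is_alive() replaces the isAlive() alias,
        # which no longer exists on Python 3.9+.
        while any(thread.is_alive() for thread in threads):
            time.sleep(0.1)
    except KeyboardInterrupt:
        KB['continue'] = False
        if num_threads > 1:
            logger.info("waiting for threads to finish (Ctrl+C was pressed)")
        try:
            while threading.active_count() > 1:
                time.sleep(0.1)  # avoid a busy spin while workers wind down
        except KeyboardInterrupt:
            raise
    except Exception as ex:
        logger.error("thread {0}: {1}".format(threading.current_thread().name, str(ex)))
        traceback.print_exc()
    finally:
        Share.dataToStdout('\n')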
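def execute(self, request: Request, response: Response):
    """Run this plugin's ``audit`` against one request/response pair.

    Stores the pair on ``self`` so ``audit`` can read it, then calls it.
    Timeouts are retried up to ``RETRY`` times; HTTP errors, connection
    failures, redirect loops, remote disconnects and pool errors are
    swallowed so one failing plugin does not abort the scan.  Any other
    exception is reported (with a traceback) only when ``DEBUG`` is set.

    Args:
        request: the intercepted request under audit.
        response: the response observed for it.

    Returns:
        Whatever ``audit`` returned, or ``None`` when it did not complete.
    """
    self.target = ''
    self.requests = request
    self.response = response
    output = None
    timeout_errors = (
        ConnectTimeout,
        requests.exceptions.ReadTimeout,
        urllib3.exceptions.ReadTimeoutError,
        socket.timeout,
    )
    try:
        output = self.audit()
    except NotImplementedError:
        msg = 'Plugin: {0} not defined "{1} mode'.format(self.name, 'audit')
        # Write the message directly; passing dataToStdout's own return
        # value back into it (as before) printed a stray None.
        Share.dataToStdout('\r' + msg + '\n\r')
    except timeout_errors:
        # Retry the whole audit; give up silently after RETRY attempts.
        for _attempt in range(RETRY):
            try:
                output = self.audit()
                break
            except timeout_errors:
                continue
    except HTTPError:
        pass  # server answered with an error status; nothing to audit
    except ConnectionError:
        pass  # target unreachable
    except TooManyRedirects:
        pass
    except RemoteDisconnected:
        pass
    except (NewConnectionError, PoolError):
        pass
    except Exception as e:
        if DEBUG:
            Share.dataToStdout('\r' + "[x]{} report:".format(self.name) + str(e) + '\n\r')
            traceback.print_exc()
    return output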
def log(self, msg):
    """Write *msg* to the console, one padded row per wrapped line.

    ``msg`` is split on newlines; each line is cut into chunks of
    ``width`` characters (a line whose length is an exact multiple of
    ``width`` also yields an empty trailing row), and every chunk is
    right-padded with spaces to the console width so it fully overwrites
    the progress row.
    """
    width = KB["console_width"][0]

    def wrapped(line):
        # Yield fixed-width chunks, then whatever is left (possibly '').
        while len(line) >= width:
            yield line[:width]
            line = line[width:]
        yield line

    rows = [chunk for line in msg.split('\n') for chunk in wrapped(line)]
    for row in rows:
        Share.dataToStdout('\r' + row + ' ' * (width - len(row)) + '\n\r')
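def audit(self):
    """Error-based SQL injection check on GET parameters.

    For the request URL and every link extracted from the response body,
    each query parameter (not listed in ``ignoreParams``) is sent once
    with ``sql_flag`` appended.  The reply is matched against the database
    error patterns from ``Get_sql_errors`` and the first match is reported
    via ``out.success``.  Only GET requests whose path extension is in
    ``acceptedExt`` and which carry a query string are considered.
    """
    method = self.requests.command  # request method, GET or POST
    headers = self.requests.get_headers()  # request headers, dict
    url = self.build_url()  # full request URL
    resp_str = self.response.get_body_str()  # response body, decoded str

    # Unused locals of the old version (POST body .decode(), raw response
    # bytes, response headers) were dropped; the decode could raise on a
    # binary body and abort the audit.
    if method != 'GET':
        return

    # Widen the candidate set with links found in the page source.
    links = get_links(resp_str, url, True)
    links.append(url)
    # Same characters as before; the backslash is now escaped explicitly
    # instead of relying on the invalid '\(' escape being passed through.
    sql_flag = '鎈\'"\\('
    for link in set(links):
        # Only URLs of the accepted extensions with a query string are probed.
        p = urlparse(link)
        if p.query == '':
            continue
        exi = os.path.splitext(p.path)[1]
        if exi not in acceptedExt:
            continue
        params = dict()
        for pair in p.query.split("&"):
            try:
                key, value = pair.split("=")
                params[key] = value
            except ValueError:
                pass  # fragment is not exactly key=value; skip it
        netloc = "{}://{}{}".format(p.scheme, p.netloc, p.path)
        for k, v in params.items():
            if k.lower() in ignoreParams:
                continue
            data = copy.deepcopy(params)
            data[k] = v + sql_flag
            url1 = prepare_url(netloc, params=data)
            if Share.in_url(url1):
                continue  # already probed
            Share.add_url(url1)
            html = requests.get(url1, headers=headers).text
            for sql_regex, _dbms_type in Get_sql_errors():
                if sql_regex.search(html):
                    out.success(link, self.name, payload="{}={}".format(k, data[k]))
                    break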
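def audit(self):
    """Check parent directories for the files returned by ``self.file()``.

    Candidate directories are the parent paths of the request URL and of
    every link in the response body.  Each file path is requested once;
    replies with status 200 are collected per directory.  Fewer than five
    hits are reported directly.  Otherwise hits are grouped by body
    length and any length shared by more than three URLs is discarded,
    because a catch-all page that answers 200 for everything yields many
    same-sized bodies.
    """
    headers = self.requests.get_headers()  # request headers, dict
    url = self.build_url()  # full request URL
    resp_str = self.response.get_body_str()  # response body, decoded str

    # Unused locals of the old version (POST body .decode(), raw response
    # bytes, response headers) were dropped; the decode could raise on a
    # binary body and abort the audit.
    candidates = set(get_parent_paths(url))
    for link in get_links(resp_str, url, True):
        candidates.update(get_parent_paths(link))

    for path in candidates:
        base = path.rstrip('/')
        filenames = self.file()  # kept per directory, as before
        hits = []  # each entry: {"url": probed URL, "len": body length}
        for name in filenames:
            target = base + name
            if Share.in_url(target):
                continue  # already probed
            Share.add_url(target)
            try:
                reply = requests.get(target, headers=headers)
                if reply.status_code == 200:
                    hits.append({"url": target, "len": len(reply.text)})
            except Exception:
                pass  # best-effort probe: network errors are ignored

        if len(hits) < 5:
            for hit in hits:
                out.success(hit["url"], self.name)
            continue

        # Group by body length.  The key stored above must be the key read
        # here: the old code stored "code" but read "len", so every hit
        # landed in the length-0 bucket and the filter never applied.
        by_length = {}
        for hit in hits:
            by_length.setdefault(hit["len"], []).append(hit["url"])
        for same_length in by_length.values():
            if len(same_length) > 3:
                continue  # too many identical bodies: likely a catch-all page
            for hit_url in same_length:
                out.success(hit_url, self.name)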
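def audit(self):
    """Check for PHP "array given" warnings when a parameter becomes an array.

    Only paths with no extension or a ``.php`` extension are considered.
    The original response is inspected first; then each query parameter
    (not listed in ``ignoreParams``) is re-sent once as ``name[]=value``
    and the reply is checked for the same warning text.  Hits are reported
    via ``out.success``; probe failures are skipped (best effort).
    """
    headers = self.requests.get_headers()  # request headers, dict
    url = self.build_url()  # full request URL
    resp_str = self.response.get_body_str()  # response body, decoded str

    # Unused locals of the old version (POST body .decode(), raw response
    # bytes, response headers) were dropped; the decode could raise on a
    # binary body and abort the audit.
    p = urlparse(url)
    # Accept paths with a .php suffix or no suffix at all.
    basepath = os.path.basename(p.path)
    if "." in basepath and ".php" not in basepath:
        return
    if "Warning" in resp_str and "array given" in resp_str:
        out.success(url, self.name)

    params = dict()
    for pair in p.query.split("&"):
        try:
            key, value = pair.split("=")
            params[key] = value
        except ValueError:
            pass  # fragment is not exactly key=value; skip it
    netloc = "{}://{}{}".format(p.scheme, p.netloc, p.path)
    for k, v in params.items():
        if k.lower() in ignoreParams:
            continue
        data = copy.deepcopy(params)
        del data[k]
        data[k + "[]"] = v
        try:
            target = prepare_url(netloc, params=data)
            if Share.in_url(target):
                continue  # already probed
            Share.add_url(target)
            reply = requests.get(target, headers=headers)
            if "Warning" in reply.text and "array given" in reply.text:
                out.success(target, self.name)
        except Exception:
            # Narrowed from a bare ``except`` so KeyboardInterrupt and
            # SystemExit still propagate; probe failures are skipped.
            pass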
def audit(self): method = self.requests.command # 请求方式 GET or POST headers = self.requests.get_headers() # 请求头 dict类型 url = self.build_url() # 请求完整URL data = self.requests.get_body_data().decode() # POST 数据 resp_data = self.response.get_body_data() # 返回数据 byte类型 resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码 resp_headers = self.response.get_headers() # 返回头 dict类型 if method == 'GET': # 从源码中获取更多链接 links = [url] for link in set(links): # 只接收指定类型的SQL注入 p = urlparse(link) if p.query == '': continue exi = os.path.splitext(p.path)[1] if exi not in acceptedExt: continue params = dict() for i in p.query.split("&"): try: key, value = i.split("=") params[key] = value except ValueError: pass netloc = "{}://{}{}".format(p.scheme, p.netloc, p.path) sql_flag = [ "'and'{0}'='{1}", '"and"{0}"="{1}' ] for k, v in params.items(): if k.lower() in ignoreParams: continue data = copy.deepcopy(params) for flag in sql_flag: # true page rand_str = random_str(2) payload1 = flag.format(rand_str, rand_str) data[k] = v + payload1 url1 = prepare_url(netloc, params=data) if Share.in_url(url1): continue Share.add_url(url1) r = requests.get(url1, headers=headers) html1 = r.text radio = GetRatio(resp_str, html1) if radio < 0.88: # 相似度随手一设~ continue # false page payload2 = flag.format(random_str(2), random_str(2)) data[k] = v + payload2 r2 = requests.get(netloc, params=data, headers=headers) html2 = r2.text radio = GetRatio(resp_str, html2) if radio < 0.68: # 相似度随手设置 msg = " {k}:{v} !== {k}:{v1} and {k}:{v} === {k}:{v2}".format(k=k, v=v, v1=payload1, v2=payload2) # out.log(msg) out.success(link, self.name, payload=k, condition=msg) break
def log(self, msg):
    """Print *msg* on its own console row, then redraw the progress row."""
    row = '\r' + msg + '\n\r'
    Share.dataToStdout(row)
    printProgress()
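def execute(self, request: Request, response: Response):
    """Run this plugin's ``audit`` against one request/response pair.

    Stores the pair on ``self``, runs ``audit`` and reports transport
    problems on the console.  A ``ConnectTimeout`` is retried up to
    ``RETRY`` times; HTTP errors, connection failures, redirect loops and
    any other exception are written to the console and swallowed so one
    failing plugin does not abort the scan.

    Args:
        request: the intercepted request under audit.
        response: the response observed for it.

    Returns:
        Whatever ``audit`` returned, or ``None`` when it did not complete.
    """
    self.target = ''
    self.requests = request
    self.response = response
    output = None

    def say(text):
        # Console rows are framed with \r ... \n\r so they overwrite the
        # progress row cleanly.
        Share.dataToStdout('\r' + text + '\n\r')

    try:
        output = self.audit()
    except NotImplementedError:
        # Write the message directly; passing dataToStdout's own return
        # value back into it (as before) printed a stray None.
        say('Plugin: {0} not defined "{1} mode'.format(self.name, 'audit'))
    except ConnectTimeout:
        for _attempt in range(RETRY):
            say('Plugin: {0} timeout, start it over.'.format(self.name))
            try:
                output = self.audit()
                break
            except ConnectTimeout:
                say('POC: {0} time-out retry failed!'.format(self.name))
        else:
            # Every retry timed out.
            say("connect target '{0}' failed!".format(self.target))
    except HTTPError:
        say('Plugin: {0} HTTPError occurs, start it over.'.format(self.name))
    except ConnectionError:
        say("connect target '{0}' failed!".format(self.target))
    except (TooManyRedirects, Exception) as e:
        # Exception objects are always truthy, so the old ``if e:`` guard
        # never suppressed anything; report unconditionally.
        say(str(e))
    return output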